01:34:30qwertyoruiop:qwertyoruiop is now known as Guest92930
02:44:58Guest92930:Guest92930 is now known as qwertyoruiop
03:48:05Guest6680:Guest6680 is now known as qwertyoruiop
10:17:58cr3pe:cr3pe has left #bitcoin-wizards
10:20:46airbreather_1:airbreather_1 is now known as airbreather
12:45:20nsh_:nsh_ is now known as nsh
15:58:31gmaxwell:The stupid, it burns: https://bitcointalk.org/index.php?topic=581635.0
16:02:12sipa:gmaxwell: /ignore is your friend
16:02:35gmaxwell:I'm sure not responding.
16:04:04gmaxwell:But it's concerning and sad that there isn't anyone with a sensible response (like Bitcoin can't just be changed like that by a bunch of people running alternative software; or PoS appears to be non-viable) in the first page.
16:08:26jgarzik:gmaxwell, nobody clueful has the energy to respond to the 1,000,000th unoriginal, stupid proposal in a calm, education-laden manner :)
16:09:56gmaxwell:sure, but why didn't someone half-clueful respond pointing people to some of the N other times this sort of thing has been discussed?
16:16:41sipa:gmaxwell: because half cluefull people either don't visit the forums, or think the same as you :)
16:18:10gmaxwell:I would have responded if it wasn't on page 11 by the time I saw it. :P
16:18:22gmaxwell:At this point it would be pointless.
16:18:57sipa:make a new post :p
16:19:50gmaxwell:I think I'll ask 'cbeast' or 'itod' to edit their front page post to include some useful points.
17:28:32reipr:Anyone have experience using https://github.com/ConceptPending/proveit ?
17:28:42reipr:The numbers are not adding up for me in my tests.
17:31:54reipr:I've followed the instructions on the site, generated the string for my users to verify it. The root node sum does not equal the sum of all the other nodes
17:32:19reipr:Im summing it myself using decimal.Decimal
17:33:54reipr:nvm, sorry to bother I got it
17:35:11gmaxwell:reipr: what was it?
17:36:54reipr:I wasnt summing the nodinfo node as well.
17:37:02reipr:Its still not verifying, but thats not the reason
17:37:16reipr:Im not sure why at this point why its not validating
18:00:06reipr:nope, doesnt verify.
18:00:16reipr:Validates on the backend, but not the frontend
18:03:11reipr:Hopefully its something that I am doing. I wanted to use the static-verify.html in the exact form from github and tell my users that they can see its the same, or if they are more comfortable they can use the static-verify.html from the guthub page
18:03:37reipr:github*
18:05:46Dizzle:Dizzle is now known as Guest90072
18:18:33BCB:problem is when a reader seems someone mention "proof of work" or "proof of stake" they just assume the poster knows wtf they are talking about (because most of the readers don't have any idea what that means) and the FUD begins.
18:20:00tacotime:Proof of stake really refers to a collection of complicated systems, some of which are implemented and some of which are theoretical.
18:20:13tacotime:Whereas proof of work is just a simple concept.
18:24:40hearn:i sometimes ponder whether you could build a bitcoin-like consensus system on a stream of digital signature votes
18:25:07hearn:that is, handwave and assume some central authority maps people to keys 1:1. now how do you build a p2p consensus method on top of that
18:25:08gmaxwell:hearn: depending on what you mean by bitcoin like, sure— trivially.
18:26:29hearn:i guess i mean, with a block chain. i.e. the same, except that people vote by signing with their key instead of hashing
18:26:57gmaxwell:hearn: you require that every block be signed by half the keys. If you try to have one signature one block you run into the problems that the POS coins have (but that implementation works for that)
18:27:21hearn:i’d like to assume an open world. no pre-registration of keys. miners come and go as they please.
18:27:59hearn:or at least, within limits, i.e. you can assume there is no extremely sudden spike or fall in miners, as bitcoin assumes some kind of smoothness in the mining power curve
18:28:13hearn:also: scalability, etc.
18:28:55hearn:i was wondering if you could potentially have lots of signatures on recent blocks, and then use SCIP to compact the signatures down, i.e. run sig checking under zkp and attach the proof
18:31:46gmaxwell:Most of the POS problems go away if you can afford quorum signing (e.g. using some compression of the signatures) and can prohibit parties from signing a parallel fork (e.g. by invalidating their keys if they do).
18:35:04hearn:i’d think there’s still the conceptual issue that the set of rich people and set of people who wish to run full nodes might not overlap that much
18:35:49gmaxwell:Sure, but I don't think from a consensus algorithim perspective that matters much, I just meant you could get one from the other by changing how you manage that set of keys.
18:36:50hearn:to invalidate someone’s keys because they signed two parallel forks, i guess you’d need to be able to embed a proof that they did it into the chain itself, so that key blacklisting is permanent and recorded
18:36:52amiller:the timing element is important too
18:37:16zooko:* zooko reads with interest.
18:37:42gmaxwell:POS in its simples forms runs into problems where nothing discourages you from mining multiple forks, in fact you're rather encouraged, since doing so increases the odds that your blocks will have a high density in the chain (e.g. keep trying histories until you find one where you are the selected keyholder for all the blocks). So most of the proposals in that space are around fixing that.
18:38:24jgarzik:heh, in office we just talked about event chains, targeting applications that need to coordinate near-real-time events like gaming environments. Spawned by that mailing list quick-block thing from Sergio.
18:38:25tacotime:that'd be an interesting way to do it. i'd just been using PoW to prevent forks for my implementation; without very strong PoW it doesn't work.
18:38:29amiller:lets say you had a perfect form of that countermeasure, where if anyone gets a whiff of two signatures then you're signature is no good, is there any obscatle left?
18:38:56jgarzik:It was interesting to consider incentivizing miners to choose chains based on variable difficulty
18:39:06gmaxwell:PPC 'addresses' this by requiring POW blocks, and having the developer sign them, and only basing the stake selection on the POW. (otherwise the security just reduces to POW but with no promise the POW is strong)
18:39:08jgarzik:Higher PoW target implies higher fees, etc.
18:39:50hearn:i must admit i never studied proof of stake much
18:40:01tacotime:It's amusing to see that BlackCoin hasn't trainwrecked yet.
18:40:11gmaxwell:As far as I can tell NXT is protected by the code not being completely open. 0_o
18:40:17hearn:does it not lead to people who already own a lot of coins being able to mine more blocks, and thus become even wealthier?
18:40:24tacotime:As it's using PPC PoS but no PoW.
18:40:34gmaxwell:hearn: the PoS reward is very small.
18:40:58tacotime:hearn: yes, that's why on my fork I always made PoW reward 2x PoS reward. But yeah, in PPC it's only 1% per year.
18:41:17gmaxwell:tacotime: funny, PPC originally didn't have the behavior I just described. and it was attacked, with the PoS-nothing-at-stakeg-grinder solving all the blocks, but it surived because the developer block signing mechenism.
18:42:34tacotime:gmaxwell, Right. BlackCoin tried to get around this by reducing search space for timestamps in the future to 10 minutes, but I suspect that within a reasonable timespan someone will attempt a doublespend and throw the network into catastrophe.
18:42:36hearn:you can create a proof of double-chain signing by taking two blocks and then presenting a chain of headers from both blocks back to a single parent block. perhaps even using the smartspv proofs
18:42:58nsh_:nsh_ is now known as nsh
18:42:58hearn:such a proof should be small enough to embed into the block chain itself, leading to invalidation of that signer. *if* you have some kind of stable/expensive miner identity, of course
18:43:14tacotime:hearn: I'm not sure if you read vitalik's proposal, it was something along those lines
18:43:29hearn:not sure which proposal you mean, so i guess i didn’t read it.
18:43:36tacotime:hearn, http://blog.ethereum.org/2014/01/15/slasher-a-punitive-proof-of-stake-algorithm/
18:46:13gmaxwell:tacotime: in the original ppc the search window was limited too, (though I don't recall how limited, I think part of the point of the checkpoints was to be able to advance the clock if it got stuck), but the attack didn't limit itself to replacing the tip, if it couldn't mine on the tip it would cut further back and just try to find two blocks and so on.
18:46:51amiller:note that in vbuterin's proposal, the point is to eliminate PoW, yet the security relies on timing 2000 blocks is hard to get, yet only proof of work is able to ensure that
18:47:15hearn:yeah. it’s sort of circular.
18:47:17tacotime:gmaxwell, right, the "stake modifier" thing. they included that as well, but i'm not sure how much security that really affords.
18:47:34amiller:also it's absolutely invalid reasoning to say that you use "stake" to mine blocks, but that stake is somehow outside the value of a coin
18:47:39amiller:you might as well burn bitcoins directly.
18:47:49amiller:if "stake" is useful, then you can sell your stake and it's part of your wealth
18:47:57gmaxwell:hearn: a lot of these things are. The problem is that there is no strong impossibility proof so people go keep throwing hurestic solutions at it which are increasingly hard to analyize .. but ultimately it seems most have non-trivial weaknesses.
18:48:09amiller:you can't say for one context it's a valuable resource, and yet argue for another context it's outside the value
18:48:55gmaxwell:tacotime: well ultimately these developer-signs things are as secure as control of that key is.. which means that they can have rather great security esp if the coin is (nearly) worthless or completely junk security, and you can't really tell which.
18:50:15gmaxwell:(I think it's somewhat horrifying that none of them even use threshold signatures, personally I'd be worried about my safety if the value took off and I held the one key to rule them all.)
18:50:29hearn:going back to a theoretical world where people have keys and certs, and those keys/certs have some tangible value. let’s ignore how that’s achieved for the sake of thought experiment. i wonder, is it possible to use something like difficulty adjustment where the more signatures that are gathered per block, the more signatures become required to create a block. so there’s no requirement that everyone be known at the start b
18:50:30hearn:system grows, creating alternative chains requires a larger number of bad actors
18:50:59hearn:assuming that keys can be banned if they double mine
18:51:35amiller:there are a lot of kinds of bad behavior that you can't detect
18:51:49amiller:especially anything that looks like "omitting" data, because you might not have been told about that data to begin with
18:51:58amiller:that's what it looks like when you try to mine on history rather than on the most recent block
18:52:08hearn:i meant bad actor in the strict block chain sense - an attacker who is trying to rewrite the chain
18:52:22amiller:yes trying to rewrite the chain is one of those
18:52:38amiller:unless the same key is used to sign blocks in both chains
18:53:16gmaxwell:hearn: and total work is just the number of signatures?
18:53:18hearn:well eventually you have to be able to sign in both chains, otherwise natural forks would result in miners dropping out forever. but i guess as long as you don’t sign in sections of the chain that are actually much parallel
18:53:29hearn:gmaxwell: i guess. not sure. thinking out loud
18:53:49gmaxwell:hearn: sounds reasonable-ish to me, though since it's always ramming right against the limit it might become impossible to produce the next block (e.g. if some signers go offline)
18:54:14gmaxwell:though perhaps you could have a local clock that let you sign with fewer after a while.
18:54:31gmaxwell:might be unstable around the tip though.
18:54:40hearn:assuming all possible signers take part all the time, yes
18:54:57hearn:otherwise if say, 10% of possible signers mine, then if some drop out, it just takes longer to make a block as the others have to notice things have slowed down and decide to step up
18:55:52hearn:i wonder if an equilibrium can be designed where of all possible miners, some mine and some don’t, but the system is self adjusting so there’s always some percentage that are active
18:56:26gmaxwell:I suppose you could be rewarded for inactivity by somekind of weighing since your last usage.
18:58:21zooko:Joe Bonneau presented some nascent new research along these lines at the Princeton workshop, which he called "Agile Tokens".
18:59:46gmaxwell:Hm. I hadn't noticed the link there. I suppose, though IIRC the agile tokens the coin owners picked which sequencing servers they used.
19:00:14zooko:Yeah I think that's the main idea of Agile Tokens.
19:05:44hearn:zooko: is there anything i can read on that topic?
19:07:17zooko:hearn: I'll ask Joe Bonneau if he/I can share a draft with you.
19:11:41zzyzx:zzyzx is now known as roidster
19:12:11roidster:roidster is now known as Guest34559
19:16:48reipr:yay. If anyone is interested, the hash creation functions bewtween the js and the python do not match, that is the problem
19:16:50hearn:zooko: thanks.
19:17:04reipr:the python uses the pipe delimeter to seperate fields, the javascript does not
19:17:17hearn:zooko: could you give me a quick summary, maybe? there are sequencing servers?
19:17:44zooko:The basic idea is: there are any number of servers, a la Certificate Transparency and Sovereign Keys and other such ideas.
19:18:06zooko:And, the additional idea from this research is: the token comes with a list of which of those servers are authoritative for the next hop of this token.
19:18:46hearn:each token can have more than one? resolved through simple majority voting, or … ?
19:19:04zooko:Yes. Don't recall.
19:19:16hearn:right. so the idea is it’s sort of like with a bank, except each time the coins change hands, the “banks” also change?
19:19:38zooko:Like Certificate Transparency, a notary can only a) fail, b) notarize correctly, or c) double-notarize,
19:19:43zooko:and c) is instant death penalty.
19:19:50zooko:hearn: yeah!
19:20:11hearn:right. lots of academic e-cash works have some kind of assumption that double spending can be punished after the fact, in them
19:20:30zooko:* zooko nods.
19:20:40zooko:I don't think this one assumes anything very strong along those lines.
19:20:56zooko:"Death penalty" means people won't include that notary in their notary-sets ever again.
19:21:10hearn:right
19:21:14jgarzik:* jgarzik is just not as worried about the current double-spending brouhaha
19:21:15hearn:assuming they know about it
19:21:27jgarzik:Merchant business incentives handle a lot of it.
19:21:29hearn:so you need an unjammable broadcast channel anyway i guess, to distribute proofs of double signing
19:21:40hearn:jgarzik: how so?
19:22:06jgarzik:hearn, e.g. pointless to double-spend on a physically shipped good
19:22:20jgarzik:hearn, or an account or subscription
19:22:32jgarzik:hearn, basically anything except instant digital goodness
19:22:48hearn:or anything in person
19:23:08hearn:that may not represent a big chunk of bitpay’s business today, but what about tomorrow?
19:23:11zooko:Good points, jgarzik.
19:23:41jgarzik:double-spends tend to apply largely for hit-and-run, never-see-you-again customer scenarios
19:23:52jgarzik:s/for/to/
19:24:29jgarzik:hearn, double spends definitely happen today, without any need for miner collusion. Just network racing is plenty sufficient.
19:24:42jgarzik:hearn, They are resolved on a case-by-case basis, and the activity always stops immediately.
19:24:47hearn:zooko: i quite like the simplicity of the agile tokens idea. i wonder if the other servers could be turned into the unjammable channel, as they have an incentive to inform you if their competitors were cheating
19:25:08zooko:hearn: nice thought. Why the hell isn't Joe Bonneau in this channel.
19:25:36jgarzik:Long term double spending never happens.
19:25:37hearn:i wonder what quantity of servers you need to avoid your coins getting stuck due to servers naturally going offline
19:25:50zzyzx_:zzyzx_ is now known as zzyzx
19:27:33hearn:zooko: though it is in effect just the no-double-spends-as-a-service idea, with sets of anti-double-spenders.
19:27:50hearn:zooko: but trying to maximally decentralise them to take their own reputation out of the equation. which seems hard.
19:27:52jgarzik:The higher level point is that you don't always need a purely technical solutions, when economic & game theory incentives exist for certain avenues of attack.
19:27:57jgarzik:*solution
19:27:58hearn:actually maybe i like the idea less now i’m thinking about it more :)
19:27:59andytoshi:gmaxwell: re that stupid PoS thread, the person who started it (who also posted on bitcoin-development) contacted me privately to ask what the problems with PoS are. he seemed open-minded enough (or maybe he's just a good politician). he offered to buy me lunch at some point. i gave him a quick overview of PoS problems and linked to asic-faq.pdf, we'll see how that goes
19:28:19hearn:right. it’s just the same, actually
19:28:49hearn:zooko: the issue is - how do I know the notaries are not in collusion with (or actually are sybils of) the spender? you need some kind of long term stable identity for that. same thing as having authenticated miners, in effect
19:29:34nsh:where's this agile tokens written up--- oh, not anywhere publically yet...
19:30:42zooko:hearn: right, I think that means that you don't accept that currency.
19:30:53zooko:The currency which is notarized by a bunch of sketchy outfits that you don't like the look of.
19:31:30hearn:then we end up back at banking. pretty much what i said on the bitcoin-development thread: if you need lots and lots of people all to agree on a set of parties who are trustworthy and uncorruptible, you probably don’t have lots of them
19:31:39gmaxwell:andytoshi: I'm not shocked, though the problems with his post go beyond POS, like thinking you can change how bitcoin works in that respect just by convincing a bunch (but decidely not everyone) to run some software.
19:31:40hearn:it’s sort of like the CA problem
19:31:59hearn:i mean, there are quite a lot of CA’s given the cost of running them actually. but it’s not like becoming a CA is as easy as becoming a miner
19:32:37phantomcircuit:jgarzik, there's very few digital goods which actually cost something to delivery and cannot be retracted after the transaction is confirmed as double spent
19:32:44phantomcircuit:indeed i am yet to find a single example
19:33:17nsh:any remotely revocable authorization to use a service
19:33:43hearn:phantomcircuit: huh? software? music? movies?
19:34:02phantomcircuit:hearn, none of those things have any significant cost to deliver
19:34:03nsh:well, you can't take those back, unless they rely on third party to be usable
19:34:18zooko:hearn: do you still want me to ask J Bonneau to send you a draft? ☺
19:34:52hearn:akamai would disagree with you. but it’s not delivery cost that matters, it’s just “cost”. these goods have a price. if someone doesn’t pay them, that’s accounted as a loss of that much money. please don’t start a stupid “piracy is harmless” argument - the people _selling the items_ would perceive losses due to double spending as theft, and those are the people who matter.
19:35:02hearn:zooko: maybe :) he may have thought of these things
19:36:16phantomcircuit:hearn, it costs very close to nothing to deliver things via akamai if you're doing it in any bulk
19:36:30jgarzik:hearn, no so, as _on-going_ double spending is unlikely
19:36:44jgarzik:hearn, as soon as a pattern emerges, you're sunk
19:36:48jgarzik:*not so
19:36:51hearn:jgarzik: who is sunk?
19:36:57jgarzik:the attacker
19:37:11hearn:who is ….. ?
19:37:16hearn:i mean, are you ID verifying every bitpay customer?
19:37:23phantomcircuit:you can get 20TB/month on a 10gbps line for ~$400/month
19:37:25hearn:s/customer/end user/ ?
19:37:32phantomcircuit:(that's level3 connectivity)
19:37:51jgarzik:hearn, huh? Not sure how that avenue of thought emerged.
19:38:03jgarzik:hearn, "sunk" -- your attack stops making money, and LEAs are probably notified
19:38:04phantomcircuit:that's 0.02$ per GB
19:38:05hearn:phantomcircuit: bandwidth costs vary a _lot_ around the world. i used to manage an akamai setup for google maps in australia and new zealand. it was extremely expensive. but anyway, see above - it’s not delivery costs
19:38:33hearn:jgarzik: and what info do you give to LE? my point is, you’re saying double spending is not an issue because double spenders can be punished. but how do you know who is doing it? bitcoin tx doesn’t tell you that
19:38:56phantomcircuit:hearn, if you're seriously worried about people double spending to steal digital goods which they can already trivially pirate, then im going to have to call your concern absolutely fucking insane
19:39:34hearn:phantomcircuit: yes that is normally how conversations with you end :) never mind. i don’t care what you think about that. i care what sellers think, and they would not agree with you. by definition. otherwise they wouldn’t be sellers, they’d give their software away for free.
19:39:59zooko:zooko has left #bitcoin-wizards
19:40:35midnightmagic:* midnightmagic hugs the strong-worded people.
19:40:36jgarzik:hearn, the identity of the attacker is irrelevant. the point being made is that an attack will not be continual. people will take a look at server logs and block the attack or do whatever needs to be done. It is a standard griefer attack, not a critical business attack.
19:40:57jgarzik:hearn, there is clear economic incentive to stop asshole customers
19:42:09jgarzik:hearn, For BitPay specifically, it is up to the merchant to determine their level of risk RE confirmations and to take action if any funny business occurs.
19:42:25hearn:ah. well, this is technically right but practically not very useful. i’ve seen what it takes to control carding fraud at google (i.e. double spending). it’s ugly as hell and is sort of sticking fingers in the dyke. quite high losses are written off as an unavoidable cost of doing business. part of why bitcoin is attractive to merchants is they _don’t_ need crazy machine learning models trying to analyze browser fingerprints
19:42:25hearn:javascripts ,etc
19:42:26jgarzik:hearn, the local Chinese shop will just stop delivering to the asshole that tried to double-spend a dinner.
19:42:40jgarzik:Any large amount will be subject to confirmations by standard practice.
19:42:47phantomcircuit:shrug
19:43:07phantomcircuit:hearn, you're wrong, im not going to censor myself because you disagreew
19:43:09phantomcircuit:disagree*
19:43:16jgarzik:Therefore the double-spending impact is limited to (a) small amounts and (b) situations of instant digital delivery, and usually (c) where delivery is anonymous and customer info is lacking at the merchant.
19:43:45hearn:yes requiring merchants to ID verify all their customers is one solution, but it’s hardly pleasant for the user or merchant
19:44:08hearn:the ideal payment system would allow anonymous purchasers to purchase, with no double spending risk.
19:44:14phantomcircuit:that is not what he's suggesting
19:44:17hearn:bitcoin is a lot closer to this ideal than credit cards, but still isn’t ideal
19:44:26jgarzik:* jgarzik never presented nor proposed a solution, nor recommended ID checks. You are reading way too much into the words.
19:44:42stephenreed:andytoshi: I lurk here now thanks to your tip
19:44:46hearn:yeah, you did, you said “the chinese shop will not deliver to the asshole again” i.e. the customers are being ID verified by street address
19:44:47jgarzik:These incentives exist today. These are statements of fact, not suggestions.
19:44:55phantomcircuit:jgarzik, afaict there is no problem
19:45:02jgarzik:phantomcircuit, pretty much
19:45:04hearn:which is great if you’re delivering to someone’s street address and not so great if the asshole just picks the pizza up
19:45:35andytoshi:stephenreed: oh, hey steven
19:45:42jgarzik:hearn, That's a one time attack. Will the business go under due to that? No, they will just stop serving that customer.
19:46:11jgarzik:hearn, not cost effective to attack that way
19:46:20andytoshi:stephenreed: normally this channel is much quieter and much wonkier :)
19:47:21jgarzik:hearn, It is easy to think up a one-time double-spend attack. But those will necessarily be very low reward and not cost effective.
19:47:29jgarzik:to make money, you need a stream of double spends
19:47:47jgarzik:otherwise, congratulations, you just stole $5 worth of goods, and cannot ever pull off that attack at that site again.
19:49:00hearn:well, this is true sometimes, but the existence of professional carders rather implies that a lot of them can do it again and again
19:49:05hearn:and they’re not all buying stuff mail order either
19:49:45hearn:i’ve seen cases where carders were buying things like flight tickets, believe it or not
19:50:07hearn:so, pretty expensive.
19:50:08jgarzik:flight tickets won't get double-spent
19:50:16jgarzik:that's a revocable
19:50:51iddo:jgarzik: what if you double-spend on a physical item that's worth a lot of money, then the merchant (who has your id / street address) goes to the judge with the losing chain that has your other signature, and you tell the judge that someone stole your privkey and signed it (or whatever, there's plausible deniability, no?)
19:50:53jgarzik:People who sell tickets for BTC already covered that angle, long ago.
19:51:13jgarzik:iddo, "worth a lot of money" -> logic failed there
19:51:27jgarzik:iddo, standard practice is to wait for confirmation, for any non-small amount of money
19:51:52iddo:you mean, if you buy a car with bitcoins, wait for more than 6 confirmations?
19:51:58jgarzik:iddo, yes
19:52:21iddo:ok, assuming that merchants are prudent...
19:52:32nsh:prudence is economically self-correcting
19:53:00hearn:only if you’re a professional car seller who can tolerate the loss of some cars ….. consider someone who just wants to sell theirs second hand
19:53:30hearn:having to hang around for hours with buyer and seller stuck in place, sucks. i was thinking of smart property to solve that but it’s hardly practical in the short term
19:53:46iddo:there can be competition among merchants, i.e. one merchant can say "i'm only waiting for 6 confirmations" for this (high-value) item, etc.
19:53:58hearn:so i bet in practice people will take the risk and get burned
19:54:20nsh:(some people) getting burned is part of the systemic process of discovering acceptible levels of risk
19:54:21hearn:though cars may be a special case
19:55:38iddo:i suppose that it isn't really the case right now that merchants evaluate how many confirmations to wait for, based on the value of the item...?
19:56:21iddo:for example, fiat/BTC exchanges always wait for no more than 6 confirms, even if you deposit a large amoung of BTC, right?
19:58:06jgarzik:Practically speaking, if I was selling my car for BTC, I would just wait for one confirm, maybe two at most.
19:58:42jgarzik:"hang around for hours" is quite exaggerated, for the needed level of security for such a TX
19:59:26amiller:cars have lots of tracking details, they're a bad example anyway
19:59:50iddo:what if the buyer tries to bribe large pools, and share profit from the double-spending with the pools?
19:59:57hearn:jgarzik: it’s not so uncommon to have a single block take nearly an hour though, right
20:00:03hearn:it’s not exactly 10 mins each time
20:00:15hearn:so sometimes people will say, let’s wait for a block, and then it’s unusually slow and they just give up
20:00:24hearn:though that maybe useless for a double spender as they can’t predict it eithe
20:00:40gmaxwell:;;tslb 3600
20:00:41gribble:(tslb takes no arguments) -- Shows time elapsed since latest generated block. This uses the block timestamp, so may be slightly off clock-time.
20:00:47gmaxwell:;;tblb 3600
20:00:48gribble:The expected time between blocks taking 1 hour and 0 seconds to generate is 5 days, 10 hours, 17 minutes, and 41 seconds
20:01:19iddo:amiller: but there's plausible deniability, no? you can say that transferred the BTC to buy the car, and someone else stole your privkey and double-spent?
20:01:25gmaxwell:so an hour should be a weekly thing, assuming hashrate isn't growing; less often if it is more often if its shrinking.
20:01:31andytoshi:..and yet somehow it will always take an hour exactly when you're trying to sell your damn car :)
20:01:46jgarzik:gives new meaning to the term "weekly swap meet"
20:02:50andytoshi:my feeling is that when ordinary people are using bitcoin, we will probably have banks involved. so if you wanna buy a car, you go get a money order the day before
20:03:11iddo:jgarzik: so if you wait for 1 or 2 confirms, and buyer of the car tries to bribe large pools to double-spend and share profits with them, it might be a plausible attack?
20:03:29andytoshi:then it's on the bank to wait for confirmations before honouring the money order
20:03:35jgarzik:iddo, still implausible
20:03:58iddo:because of pool's reputation?
20:04:08jgarzik:iddo, doing that once is difficult. doing it multiple times nearly impossible.
20:05:05iddo:yes, just once... you want to buy the car for less money by carrying out a double-spending attack
20:06:41jgarzik:iddo, the payoff for a one-time attack is too small, versus consequences for the pool participating
20:07:23iddo:payoff for the pool, right? i.e. it will hurt the long-term reputation of the pool?
20:07:30jgarzik:Any in-person meeting + stolen good gives the police a lot to work with
20:08:13jgarzik:The pool has to gain something, otherwise it will not bother to help with an attack.
20:09:05iddo:yes, part of the double-spent BTC will be then sent to the pool operator
20:09:36iddo:it's true that if there's collusion with the pool then it gives the police something to work with
20:10:15hearn:well, assuming non-anonymous miners. but really they’re meant to be anonymous
20:10:21hearn:gosh double spending is a fun problem to think about isnt it :)
20:10:29iddo:but unless you have evidence of human communication, i.e. it's just BTC transfers, there's plausible deniability i guess
20:11:49hearn:not very plausible
20:14:56iddo:also it's possible to try bribe attack without human communication (and even if everyone were using p2pool), by offering large miner fees in the hostile chain
20:17:58iddo:if you only wait for 1 or 2 confirmations, then maybe miners will assess that mining the hostile chain is worth the risk (i.e. doing PoW work on a chain that has 1 or 2 blocks deficit relative to the main chain)
20:19:17iddo:(there's old bitcointalk on that, title is "double double spend")
20:19:31iddo:s/bitcointalk/bitcointalk thread
20:37:48stqism:stqism is now known as stqism`
20:37:54stqism`:stqism` is now known as stqism
20:42:45stqism:stqism is now known as gribble`
20:42:58gribble`:gribble` is now known as stqism
21:11:36shinybro__:shinybro__ is now known as shinybro_